Great to hear you're finally getting some relief. You didn't provide any information on your organization's setup...
in your question, so I have to say the answer to your first question is "it depends." The rule of thumb for user account controls is to do it as close to the user as possible: That means you need to be able to verify that the requestor was really the person who made the request, in order to prevent creating accounts when they're not warranted. If you're located in the same general geographic area or can easily contact the requestor to validate that he or she, or his or her manager, made the request, then central administration is fine. If, however, there are language issues, you don't have an easy way to verify user requests, or have a highly distributed, or political, or siloed business model, then distributed administration makes more sense.
As far as who watches the watcher, this question has been debated for years. As mentioned in another question, separation of duty (SoD) best practices dictate that an account administrator should not be able to set up accounts or privileges for him or herself for all the reasons you mentioned above. So in order to monitor these activities, it's important to have an audit function within the organization. Whether this is owned by the legal group, the compliance group or even network engineering -- who can sniff out unauthorized traffic -- the decision is an organization-specific one. If an audit group isn't feasible due to cost, lack of experience, size of organization, politics, etc., then the only alternative is to have HR conduct periodic background checks of the people who have this function. They would look at criminal and financial information to ensure the likelihood of authorized users doing unauthorized activities is not influenced by outside pressures. Great administrators have gone bad due to pressures posed by gambling, divorce, mortgage debt, etc. I'd also look at personality. You want happy people that like their job, who get along well with others and are genuinely honest doing this work. Brooding administrators are always a bad sign.
Finally, the U.S. Government's CERT group has many good guidelines on mitigating the insider threat. You should go to their site and learn all warning signs of potentially dangerous administrators and activities to look out for. Good luck with your new administrator, and hopefully now you can take that vacation I'm sure you've been putting off.
For more information:
- Learn more best practices for segregation of duties.
- Check out this tip on identitly lifecycle management for compliance.
Dig Deeper on Privileged access management
Related Q&A from Randall Gamby
Learn how to create account lockout policies that detail how many unsuccessful login attempts are allowed before a password lockout in order to ... Continue Reading
When it comes to minimum password length, 14-character passwords are generally considered secure, but they may not be enough to keep your enterprise ... Continue Reading
Enterprise SSO products have matured over the years, so what's the state of eSSO today? Expert Randall Gamby discusses. Continue Reading